package com.atguigu.jdbc;

import java.sql.*;
import java.util.Scanner;

/**
 * projectName: day04_jdbc
 *
 * @author: 赵伟风
 * time: 2021/11/26 15:03
 * description: 静态statement的问题演示
 *    TODO 1.注入攻击
 *           静态sql语句靠的是字符串拼接条件！
 *           可以在拼接的字符串上动手脚。改变原有sql语句结构！产生错误的结果！这就是注入攻击！
 *
 *         2.执行用字符串进行语句拼接！如果是非字符串类型参数是无法插入的！
 *           静态的Statement只能插入字符串类型的数据！
 */
public class JdbcError
{

    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        //1.注册驱动
        Class.forName("com.mysql.jdbc.Driver");
        //2.获取连接
        String url = "jdbc:mysql://localhost:3306/test1";
        String user = "root";
        String password = "root";
        Connection connection = DriverManager.getConnection(url,user,password);
        //3.创建statement
        Statement statement = connection.createStatement();

        System.out.println("请您输入账号！");
        Scanner scanner = new Scanner(System.in);
        String account =  scanner.nextLine();
        System.out.println("请您输入密码！");
        String pwd = scanner.nextLine();


        //4.编写sql语句
        String sql = "select *  from user where account = '"+account+"' and password = '"+pwd+"';";


        ResultSet resultSet = statement.executeQuery(sql);

        ResultSetMetaData metaData = resultSet.getMetaData();
        int columnCount = metaData.getColumnCount();


        while (resultSet.next()) {
            for (int i = 1; i <= columnCount; i++) {

                String string = resultSet.getString(i);

                System.out.println("string = " + string);
            }
        }

        //7.关闭资源

        resultSet.close();

        if (statement != null) {
            statement.close();
        }

        if (connection != null) {
            connection.close();
        }

    }


}
